Mirai botnet: Attackers target Zyxel routers and Mitel SIP phones
Attackers are currently attacking devices from Mitel and Zyxel. There is currently no security update for affected Zyxel routers.
The Mirai botnet is expanding, and unknown attackers are currently compromising certain Zyxel routers and Mitel telephony devices. Security patches have been available for affected Mitel devices since last summer. No update is yet available for the vulnerable Zyxel CPE series routers.
The extent of the attacks is currently unknown. Once infected devices have been absorbed into the botnet, they are used primarily as drones for DDoS attacks.
Patch now!
Security researchers from Akamai warn of the attacks on Mitel SIP phones in an article. The vulnerability (CVE-2024-41710, “medium”) is said to be targeted by attackers using the malware Aquabot, which is based on the Mirai botnet. According to the researchers, this is now the third known version of the Trojan.
In this version, the malware is said to raise the alarm for the first time: if an attempt is made to deactivate its malicious functions on the device, it reports this to the attackers' command-and-control servers. The security researchers note, however, that they have not yet been able to reproduce this.
According to an alert issued by Mitel in July 2024, this specifically affects the 6800 Series SIP Phones, 6900 Series SIP Phones, 6900w Series SIP Phones and 6970 Conference Unit models. The firmware R6.4.0.HF2 (R.6.4.0.137) provides a remedy. In their report, the researchers list several indicators (IOCs) by which admins can recognize attacks that have already taken place.
Waiting for a security patch
The Zyxel router vulnerability (CVE-2024-40891) has also been known since July last year. However, a classification of the threat level is still pending. Security researchers from Greynoise classify it as “critical” in an article. This is a zero-day vulnerability for which there is not yet a security update.
It is not yet clear when this will be released. To date, there has also been no warning message from Zyxel regarding this security issue. An answer to an inquiry from heise Security is still pending.
Attackers use crafted HTTPS requests to reach the vulnerability without authentication and execute their commands on the devices. A search result from the Internet Intelligence Platform Censys shows that around 1500 vulnerable devices are currently accessible online.
To temporarily protect devices until a patch is released, admins should monitor network traffic for unusual Telnet requests and restrict admin access to trusted IPs. Of course, this does not provide one hundred percent protection against attacks.
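As an added illustration of the interim measures just described (example code, not from the heise article, Zyxel or Mitel), the following Python script flags admin-port connections that arrive from outside a trusted range in a constructed flow log and emits nftables rules that restrict those ports to the trusted network. The trusted network, the `wan0` interface name, the `key=value` log format and the choice of ports (Telnet and the HTTPS admin interface) are assumptions.

```python
import ipaddress

# Constructed values: trusted admin networks and the router's admin ports.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]
ADMIN_PORTS = {23: "telnet", 443: "https"}

def parse_flow_line(line):
    """Parse one constructed 'key=value' flow line such as
    '2025-01-30T10:00:00Z proto=tcp src=198.51.100.7 dst=192.0.2.1 dport=23'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["proto"], fields["src"], fields["dst"], int(fields["dport"])

def is_trusted(ip):
    """True if the source address lies inside one of the trusted admin ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def find_suspicious(lines):
    """Return (src, service) for TCP flows hitting an admin port from outside
    the trusted ranges: the 'unusual Telnet requests' an admin should alert on."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        proto, src, _dst, dport = parse_flow_line(line.strip())
        if proto == "tcp" and dport in ADMIN_PORTS and not is_trusted(src):
            alerts.append((src, ADMIN_PORTS[dport]))
    return alerts

def allowlist_rules(iface="wan0"):
    """nftables rules restricting the admin ports to the trusted networks
    (assumes an 'inet filter' table with an 'input' chain already exists)."""
    nets = ", ".join(str(n) for n in TRUSTED_ADMIN_NETS)
    ports = ", ".join(str(p) for p in sorted(ADMIN_PORTS))
    return [
        f"add rule inet filter input iifname {iface} tcp dport {{ {ports} }} "
        f"ip saddr {{ {nets} }} accept",
        f"add rule inet filter input iifname {iface} tcp dport {{ {ports} }} drop",
    ]

# Constructed sample flow log: one trusted Telnet login, two untrusted admin
# connections, and unrelated DNS traffic that must not be flagged.
SAMPLE_LOG = """
2025-01-30T10:00:01Z proto=tcp src=10.0.0.5 dst=192.0.2.1 dport=23
2025-01-30T10:00:02Z proto=tcp src=198.51.100.7 dst=192.0.2.1 dport=23
2025-01-30T10:00:03Z proto=tcp src=203.0.113.9 dst=192.0.2.1 dport=443
2025-01-30T10:00:04Z proto=udp src=203.0.113.9 dst=192.0.2.1 dport=53
"""
```

Running `find_suspicious(SAMPLE_LOG.splitlines())` reports the two untrusted admin connections and leaves the trusted Telnet login and the DNS flow alone; the rules from `allowlist_rules()` are meant to be reviewed and loaded with `nft -f`, not applied blindly.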
(des)